Using Metadata v2

    Available in VPC

    Overview

    You can use the Metadata v2 calling method to mitigate the SSRF exposure that affects Metadata v1.

    • Metadata v1 - request/response method
    • Metadata v2 - session-oriented method

    Depending on the configuration of the server instance, you can use both v1 and v2, or only use v2.

    Metadata v1 security vulnerability

    When you operate a service or run software on a server instance that accepts the Metadata v1 method, additional measures and precautions may be required to prevent exposure of the meta data (server or role data).
    If the running service contains an SSRF vulnerability that you are not aware of, an external party can use it to call the server instance's Metadata API and obtain the meta data.
    To block this exposure, change the Metadata version setting of the server instance so that only v2 is used.
    The Metadata v2 method protects against meta data exposure through SSRF vulnerabilities by issuing a token through a PUT request and requiring token authentication on every Metadata API call.

    Set the Metadata version of the server instance

    After creating the server instance, you can change this setting only through the console.

    1. Go to the server console [Services > Compute > Server]
    2. Select the version in the [Server management and configuration change > Metadata API management] menu
    • v1 and v2
      • Both the v1 and v2 versions are available.
      • A call is treated as v1 or v2 depending on whether the token header is passed when calling the Metadata API
      • If the token header is not passed, the request is served without an authentication step
      • If the token header is passed, the request is served after the header value has been authenticated
    • v2 (token required)
      • Only the v2 version is available
      • The token header value is required when calling the Metadata API

    Examples

    • Header
      • X-NCP-METADATA-TOKEN-TTL-SECONDS: header that sets the session duration in seconds when issuing a token (1 to 21600 seconds)
      • X-NCP-METADATA-TOKEN: header that carries the issued token when calling the Metadata API

    Separate command

    [root@test-server ~]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-NCP-METADATA-TOKEN-TTL-SECONDS: 21600"`
    
    [root@test-server ~]# curl -H "X-NCP-METADATA-TOKEN: $TOKEN" http://169.254.169.254/latest/meta-data
    

    Combined command

    [root@test-server ~]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-NCP-METADATA-TOKEN-TTL-SECONDS: 21600"` \
    && curl -H "X-NCP-METADATA-TOKEN: $TOKEN" http://169.254.169.254/latest/meta-data
    


    Note

    If the token was not issued normally, the error message returned by the PUT request is stored in the variable instead of a token.
    Metadata API calls made with that value will not work.
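    As an added example (not code from the original page or from the Naver Cloud documentation), the same two-step flow in Python, run against a constructed localhost stand-in for a v2-only endpoint so that it executes offline: the client checks the status of the token-issuing request before using the response body as a token (the failure described in the Note), and the stand-in shows that a GET without a valid token header is answered with 401 regardless. The function and class names, the token format and the sample meta-data listing are assumptions.

```python
import http.server, secrets, threading, time, urllib.error, urllib.request
TTL_HDR, TOKEN_HDR = "X-NCP-METADATA-TOKEN-TTL-SECONDS", "X-NCP-METADATA-TOKEN"

def call(url, method="GET", headers=None):
    # Returns (status, body); a 4xx/5xx is returned, not raised, so callers
    # must check the status instead of using an error message as a token.
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def fetch_metadata(base_url, path="/latest/meta-data", ttl_seconds=21600):
    # v2 flow: PUT issues a session token (TTL 1..21600 s), GET presents it.
    if not 1 <= ttl_seconds <= 21600:
        raise ValueError("TTL must be 1..21600 seconds")
    status, token = call(base_url + "/latest/api/token", "PUT",
                         {TTL_HDR: str(ttl_seconds)})
    if status != 200:
        raise RuntimeError("token not issued: %d %s" % (status, token.strip()))
    return call(base_url + path, headers={TOKEN_HDR: token.strip()})

class MockMetadataV2(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in for a v2-only endpoint, not the real NCP service.
    tokens = {}  # token -> expiry (monotonic seconds)
    def do_PUT(self):
        ttl = int(self.headers.get(TTL_HDR, "0"))
        if self.path != "/latest/api/token" or not 1 <= ttl <= 21600:
            return self.reply(400, "Bad Request.")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = time.monotonic() + ttl
        self.reply(200, tok)
    def do_GET(self):  # missing, wrong or expired token -> 401, as on the page
        tok = self.headers.get(TOKEN_HDR)
        if tok not in self.tokens or self.tokens[tok] < time.monotonic():
            return self.reply(401, "Unauthorized.")
        self.reply(200, "hostname\nvpc/\n")  # constructed sample listing
    def reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain;charset=UTF-8")
        self.end_headers()
        self.wfile.write(body.encode())

def start_mock():
    # Ephemeral localhost port so the example runs offline; returns base URL.
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockMetadataV2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port
```

Pointing fetch_metadata at http://169.254.169.254 on an instance configured for v2 runs the same flow as the curl commands above.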

    Authentication error response

    [root@test-server ~]# curl -H "X-NCP-METADATA-TOKEN: wrong-token" -i http://169.254.169.254/latest/meta-data
    HTTP/1.1 401 401
    Date: Tue, 11 Apr 2023 02:42:02 GMT
    Server: Apache
    Referrer-Policy: unsafe-url
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/plain;charset=UTF-8
    
    Unauthorized.
    [root@test-server ~]#
    
